Computer systems connected to a network are frequently attacked by uniquely developed or customized malware. In particular, targeted attacks against specific enterprises are increasing. In the majority of these attacks, a user terminal in an enterprise is first infected with remote-controlled malware, and the infected terminal is then used as a stepping stone to intrude into other user terminals of the enterprise and infect them with the remote-controlled malware.
A signature-based detection method is known in which a pattern of communication data for a remotely controlled operation is defined for each malware, and the pattern is then compared with communication data flowing in a network to detect the malware. However, with the signature-based detection method, only malware for which the pattern of the communication data has been defined in advance can be detected; thus, customized or uniquely developed malware may not be detected.
Japanese Patent Application Laid-Open No. 2004-179999, Japanese Patent Application Laid-Open No. 2006-157144 and Japanese Patent Application Laid-Open No. 2006-11683 are known as examples of the prior art.